Enhancing Privacy Management: Continuous Improvement Under ISO 27701 Clause 5.8

For the purposes of ISO adherence – across all information security and privacy protection standards – nonconformity can broadly be defined as any failure to meet a clause-specific standard.

Nonconformities can arise against either internal or external requirements: an organisation’s own policies and procedures, or the regulatory and/or legal requirements that apply to it as a PII processor.

What’s Covered in ISO 27701 Clause 5.8

ISO 27701 Clause 5.8 deals with an organisation’s ability to detect, manage, resolve and evaluate nonconformities within the scope of a PIMS, and its broader privacy protection policy.

The guidance revolves around two key stages – dealing with nonconformities at point of discovery, and what should happen in order to prevent them from recurring.

Both of ISO 27701 5.8’s sub-clauses draw on material already provided in ISO 27001, but in ISO 27701 that material applies to nonconformities within privacy protection and PIMS management.

  • ISO 27701 5.8.1 – Nonconformity and corrective action (References ISO 27001 Control 10.1)
  • ISO 27701 5.8.2 – Continual improvement (References ISO 27001 Control 10.2)

ISO 27701 5.8 doesn’t contain any additional guidance for PIMS-related activities, other than what is provided in the context of ISO 27001, and doesn’t hold any relevance within GDPR.


ISO 27701 Clause 5.8.1 – Nonconformity and Corrective Action

References ISO 27001 Control 10.1

When the organisation discovers a nonconformity, it should:

  1. Minimise the risks involved and take corrective actions as appropriate.
  2. Carefully consider any consequences, and take steps to address them.
  3. Keep in mind the need to both eliminate the nonconformity and prevent it from happening again. This should be done by:
    • Establishing why it happened.
    • Exploring the potential of similar occurrences where privacy is paramount, and PII is a consideration.
  4. Evaluate the effectiveness of any remedial steps taken.
  5. Amend the PIMS to account for any changes that have been made, or need to be made in order to improve its effectiveness.

ISO stipulates that any corrective action taken should be proportionate to the risks caused by the nonconformity itself.

Documented evidence should be retained that shows:

  • The underlying nature of the nonconformity.
  • Any remedial actions that have been taken.
  • How those actions have affected privacy protection, PII and the ongoing development of the PIMS.


ISO 27701 Clause 5.8.2 – Continual Improvement

References ISO 27001 Control 10.2

Organisations should ask themselves three questions when seeking to improve their PIMS, and by proxy, their privacy protection policy:

  • Suitability – Is the PIMS a good fit for the nature of their operation, and the kind of PII and information they process on a regular basis?
  • Adequacy – Does the PIMS have sufficient operational capacity to carry out its role, and does it contain features relevant to the organisation’s responsibilities?
  • Effectiveness – Is the PIMS doing its job, within the scope of what’s required of it?

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name               | ISO 27001 Requirement                                      | Associated GDPR Articles
5.8.1                       | Nonconformity and Corrective Action | 10.1 – Nonconformity and Corrective Action for ISO 27001   | None
5.8.2                       | Continual Improvement               | 10.2 – Continual Improvement for ISO 27001                 | None

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all in one place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27001 and ISO 27701 at the click of a button.

Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online by booking a demo.
